There is nothing broken with Ubuntu, just people not understanding how configuration files work in Linux, choosing to enable password auth in SSH during installation, or using a cloud provider that provisions instances with passwords and overrides the default.
You can still configure it to be key only, you just need to put your own override as a file in /etc/ssh/sshd_config.d/ rather than /etc/ssh/sshd_config. The files are read ins order, so your filename needs to sort after the 50-cloud-init.conf file.
This would work:
echo "PasswordAuthentication no" > /etc/ssh/sshd_config.d/60-password-auth.conf